- Use managed KMS/HSM-backed keys where possible.
- Rotate encryption keys and re-encrypt files on schedule.
- Limit decrypt permission to deployment/runtime principals only.
- Keep only encrypted secret files in Git.
- Enforce pre-commit checks to block plaintext secret commits.
- Review diffs carefully; metadata leaks can still reveal context.
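One way to enforce the pre-commit check above, as an added example that is not part of the original page: a Python hook that inspects every staged secret file and rejects the commit if any leaf value is not encrypted. It assumes SOPS-style encrypted JSON (each leaf is an "ENC[...]" token and a top-level "sops" metadata block is present) and a hypothetical secrets/ directory; both are assumptions to adjust for the repository.

```python
"""Pre-commit hook: block a commit when a staged secret file holds plaintext values.
Assumes SOPS-style encrypted JSON (every leaf is an "ENC[...]" token plus a top-level
"sops" metadata block) and a hypothetical secrets/ layout; adjust both as needed."""
import json
import re
import subprocess
import sys
from pathlib import Path

ENC_TOKEN = re.compile(r"^ENC\[[A-Z0-9_]+,.*\]$")   # e.g. ENC[AES256_GCM,data:...,type:str]
SECRET_PATH = re.compile(r"^secrets/.*\.json$")      # assumed repository layout

def plaintext_leaves(doc, path=()):
    """Dotted paths of every leaf that is not an ENC[...] token.
    The top-level 'sops' block is skipped: it legitimately holds cleartext metadata."""
    bad = []
    if isinstance(doc, dict):
        for key, val in doc.items():
            if not path and key == "sops":
                continue
            bad.extend(plaintext_leaves(val, path + (str(key),)))
    elif isinstance(doc, list):
        for idx, val in enumerate(doc):
            bad.extend(plaintext_leaves(val, path + (str(idx),)))
    elif not (isinstance(doc, str) and ENC_TOKEN.match(doc)):
        bad.append(".".join(path) or "<root>")
    return bad

def check_secret_file(text):
    """Problems found in one file's contents; an empty list means it may be committed."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if not isinstance(doc, dict) or "sops" not in doc:
        problems.append("missing top-level 'sops' metadata block")
    problems.extend(f"plaintext value at {p}" for p in plaintext_leaves(doc))
    return problems

def staged_secret_files():
    # Only files added or modified in the index matter at commit time.
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    return [f for f in out.splitlines() if SECRET_PATH.match(f)]

if __name__ == "__main__":
    problems = [f"{name}: {p}" for name in staged_secret_files()
                for p in check_secret_file(Path(name).read_text(encoding="utf-8"))]
    print("\n".join(problems), file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Install it as .git/hooks/pre-commit (or via a hook manager) so a secret file that was decrypted in place and forgotten never reaches history, where a later rewrite cannot reliably purge it.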
Access and Execution Controls
- Restrict local decryption to trusted admin workstations.
- Use ephemeral CI runners and avoid persistent decrypted artifacts.
- Mask secret values in CI/CD logs.
- Maintain key revocation and re-encryption playbooks.
- Audit decrypt operations via KMS logs.
- Test secret recovery after key rotation events.